Privacy policy

Devecto Oy’s customer and marketing register

A privacy policy in accordance with EU’s General Data Protection Regulation (GDPR)

Updated 15/03/2021.

1. Data controller
Devecto Oy (Business ID 2616184-9), Vapaaherrantie 2, 40100 Jyväskylä

2. Contact person for issues concerning the register
Admistration Manager Marja Kettunen marja.kettunen<at>@devecto.com

3. Name of the register
Devecto Oy’s customer and marketing register

4. Purpose and grounds of processing personal data

According to EU’s General Data Protection Regulation processing personal data shall be lawful if the data subject has given consent to the processing of his or her personal data for one or more specific purposes or the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Devecto Oy’s customer and marketing register is used for delivering products and services, establishing, carrying out, maintaining and developing customer relationships.

Personal data is not used for automatic decision making or profiling.

5. Data content of the register
The register may include the following information:

Name
Organisation and position
Organisation’s address details
Email address
Phone number
Other information disclosed by the data subject
Information about the ordered services
Invoicing address
Other information related to the customer relationship

6. Regular data sources of the register
The data of the marketing register is obtained via customer relationships, from Devecto Oy’s website (contact forms, cookies), as well as from publicly available Internet sources.

7. Regular disclosure of data

Personal data can selectively be disclosed to third parties authorized by the data controller for communication purposes about related products and services. The ownership of the data is not transferred and the use of the data is limited to the authorized activities. The data controller can also disclose personal data to third parties when required by the Finnish authorities. Devecto can provide personal data to debt collection agencies when necessary. Personal data is handled on behalf of Devecto Oy by:

ActiveCampaign Inc.
Teamtailor AB
Visma Solutions Oy

8. Data transfer outside the EU or the EEA

As a general rule, Devecto Oy does not transfer or disclose the customer’s personal data outside the European Union or the European Economic Area. However, if necessary, the data may be transferred or disclosed outside the European Union or the European Economic Area in the manner permitted by the Personal Data Act if:

Whenever possible, Devecto Oy has chosen secure data centers located in Europe as the storage location for personal data. Some of the above providers and / or registrars may back up data outside the EU / EEA to the United States. The data is backed up so that the data is safe even in situations where the main servers fail.

the data is transferred to the country or an organization located in a country where the European Commission has determined that the level of data protection is adequate, or
contractual arrangements can ensure an adequate level of data protection, or
if the data subject has given his consent

9. Regular protection of the register
Personal data shall be kept confidential. Only such persons employed by Devecto Oy, who need the data for carrying out their work duties, have the right to use and access the register. The data network and equipment of the data controller and its potential IT partners, where the register is located, are protected with firewalls and other necessary technical procedures.

Agreements and other manually processed documents are stored in locked facilities which can only be accessed by separately designated persons. In addition, physical access to the facilities is prevented by security measures.

10. Right to review and to demand the rectification of data and to request data removal
The data subject has the right to review his/her data contained in the register. Data can also be corrected or removed at the request of the data subject. Requests are addressed to the email address mentioned in Section 2. The data controller has the right to require identification.

11. Other rights concerning the processing of personal data
Data shall be retained in the register for ten (10) years and they shall be stored in a confidential manner. The data subject can choose to authorise longer term retention of data, if he/she wishes.